CrowdStrike Configuration Profile | BigSur

fsurucu
New Contributor III

If you have to install version 6 and above of CrowdStrike on Big Sur, you have to install their unsigned profile first. This profile can only be uploaded and distributed with MDM solutions.

In order to upload to MDM, that profile needs to be signed first.

Original location of the profile: https://supportportal.crowdstrike.com/s/article/Tech-Alert-Preparing-for-macOS-Falcon-Sensor-6-11

1 - Follow the steps explained here:
https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority

If Jamf freezes while generating the PEM, ignore it and refresh the page.

2 - After it is generated in Keychain, locate the certificate and look for the "Subject Key Identifier" value. Copy it to the clipboard and remove the spaces.

3 - Generate the signed version of the mobileconfig profile with the following command in Terminal:

sudo /usr/bin/security cms -S -Z SubjectKeyIdentifierValue -i ActualPathofUnSignedProfile -o OutPutWhereYouLiketoSaveSignedProfile


ubcoit
Contributor

@mallen13

Yes, I see I missed a command there. I already snapped my VM back so I couldn't run the command. Just running through some more tests.

Q. The sql information output, I'm guessing that is kernel extensions and not system extensions?

I ask because I just removed the kernel extensions from my profile, applied the profile to the system, and rebooted. Installed CrowdStrike; within 10 seconds of it installing, I disabled the network and let the system idle. No prompts, Falcon is running. When I checked systemextensionsctl list I see the System Extension. When I run the sql commands, I see nothing listed, which, if these are kernel extensions, is expected. Enabled the network again, waited (1-2 minutes usually but sometimes longer) and eventually the prompt comes up that System Extensions have been updated... Run systemextensionsctl list again, no obvious change from that output. But running the sql commands again I now have entries in there. This last go mine had a 20 at the end, not a 4. So is CrowdStrike still trying to load kernel extensions once it talks back to the cloud? I'm just guessing here.

mallen13
New Contributor III

Well... so I guess that is the mystery then...

the dreaded "To finish the update, you must approve it in the Security & Privacy System Preferences" dialog is my arch-enemy at this point. - CS does do an update via its own client.... but even though it's "trusted" -- it still produces this bleemin' dialog.
( on BigSur only.... Catalina seems to work as designed, and does not prompt... )

When I find a solution, I will certainly share it here... -- this is driving me CRAZY.... 🙂
I was hoping you had gotten something back from CS/JAMF....


ubcoit
Contributor

@mallen13

I have a video of it but can't upload it here. 😞 But if in fact the output of sqlite is kernel extension related, isn't the problem with CrowdStrike as on Big Sur, their client should be using System Extensions ONLY and not attempting to do anything with kernel extensions?

To be honest, support from both has been ongoing but not overly helpful at this point. And to top it off, it's slow. Send email, wait a day, reply, wait a day... or longer. At some point someone needs to call someone and do a remote session. CS support is just pointing the finger at Jamf, not their problem. But if the above findings are correct, it seems there is a flaw in the CrowdStrike software if it's trying to use kernel extensions on Big Sur. I'm not a software engineer, I just have to deploy this stuff.

mallen13
New Contributor III

That is correct. -- BigSur should be using SYSTEMEXTENSIONS only, no longer KEXTs. -- but the CS template they provided covers both SYSEX and KEXT. ( hence my trying to separate them out... )

IKR? I feel your pain. -- the deployment seems to go smooth / quiet, but the 'update' is throwing the flag.

It sounds like you and I are in the same boat... fighting the same dialog box... sigh

Do let me know if you get anywhere... ( and yes, I have similar video I'm sure.... )
likewise, I'll let you know if I find an answer in the meantime. --- you are most likely correct though, CS is probably the party that needs to fix it... I'm sure you will notice that theirs ( and most vendors ) instructions read something like....

"Make sure you tell your end-user to click on the allow/ok button or the software will not function"

whereas clearly, we can NOT rely on end-users to allow something as critical as AV to function.... smh

mallen13
New Contributor III

@franton sorry to tag you / pull you into this... but is this the behavior you were able to circumvent by splitting out SYSEX / KEXT / PPPC and scoping out separately for Catalina vs. BigSur ?

I am having NO ISSUES on Catalina, but am fighting BigSur to avoid the 'allow update' prompt for CS

nascheid
New Contributor

I too am having difficulty getting the CS provided Profile to install on both Intel Big Sur and M1 Big Sur. I uploaded the Falcon Profile 4 times and trimmed them so I have 1 PPPC profile, 1 Sys Ext, 1 KExt, and 1 web filter profile. Same error as @davidi4 :

<Exception> -[__NSCFConstantString objectForKeyedSubscript:]: unrecognized selector sent to instance 0x7fff80233030

ubcoit
Contributor

@nascheid

Sorry, can't say I've seen that error yet. 😕 Did you sign and upload the CS profile to your JSS? It needs to be signed first. Having said that, I don't think we need to use it and we can manually create it in JAMF, provided you are running the latest version 10.26.1. I haven't tested M1 yet, getting to it one of these days, but it's my understanding it has its own problems (need to separate profiles - kernel/system specifically) as well as the CS client isn't native.

@mallen13

CS support got back to me on the issue with the "Extensions have been updated" prompt and they believe it's an option called "Firmware analysis" and that it's using a kernel extension. I haven't confirmed this but I'm hoping to test this today with the team that administrates CrowdStrike (I only install it). Perhaps you can test on your end if you have more access.

If this turns out to be the case, it does make sense, since CS runs fine until it talks back to the cloud to get its settings. It also makes sense as to why it works for some and not others, as it would depend on whether this feature is enabled or not.

mallen13
New Contributor III

It sounds like we're in the same boat. - I also just re-created the profile manually ( to separate SYSEX from KEXT )
Everything is working just fine for me on Catalina... -- no prompting, even on upgrade... but kexts/kext-trusts are/were employed.

BigSur is the one being a jerk. ( especially the M1, a.k.a. "crashy-boi" if you feed it any sort of legacy config-profile... )
It does also seem that machines (intel) STARTING on Catalina, with my 'both kext+sysex' config-profiles present BEFORE the BigSur upgrade, don't get angry.... ( still testing this... )

I'll see if I can get the 'Firmware analysis' bit flipped off for me // get my own CS thread going.
I'll let you know when I get somewhere.

It does seem like maybe a bit of progress is being made...
( 6.12 -> 6.14 ; 6.14 -> 6.15 / 6.16.... all seem to behave just a little differently.... )

ghart
New Contributor II

Hi all... I faced a similar issue and I think I've got it resolved (at least on our fleet of Intel MBPs). I had to manually edit the CrowdStrike provided profile to disable the ability to approve system extensions and kernel extensions. I'll put my modified falcon profile below. Feel free to copy and paste into the plaintext editor of your choice, save as a .mobileconfig file and sign it using JAMF's instructions. You WILL have to sign it before uploading it so that JAMF doesn't alter it... JAMF doesn't play nice with the system extension payloads and doesn't translate them into the GUI properly if the profile is unsigned.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>FilterBrowsers</key>
            <false/>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
            <key>FilterGrade</key>
            <string>inspector</string>
            <key>FilterPacketProviderBundleIdentifier</key>
            <string>com.crowdstrike.falcon.Agent</string>
            <key>FilterPacketProviderDesignatedRequirement</key>
            <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>Organization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.crowdstrike.falcon.App</string>
            <key>UserDefinedName</key>
            <string>Falcon</string>
        </dict>
        <dict>
            <key>AllowedTeamIdentifiers</key>
            <array>
                <string>X9E956P446</string>
            </array>
            <key>PayloadDescription</key>
            <string>Controls the system extension loading/unloading</string>
            <key>PayloadDisplayName</key>
            <string>App System Extension Control</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.system-extensions.admin.E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extensions.admin</string>
            <key>PayloadUUID</key>
            <string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
        </dict>
        <dict>
            <key>AllowUserOverrides</key>
            <false/>
            <key>AllowedTeamIdentifiers</key>
            <array>
                <string>X9E956P446</string>
            </array>
            <key>PayloadDescription</key>
            <string>Configures Kernel Extension Policy settings</string>
            <key>PayloadDisplayName</key>
            <string>Kernel Extensions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.syspolicy.kernel-extension-policy.5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.syspolicy.kernel-extension-policy</string>
            <key>PayloadUUID</key>
            <string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
        </dict>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures Privacy Preferences Policy Control settings</string>
            <key>PayloadDisplayName</key>
            <string>Privacy Preferences</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.TCC.configuration-profile-policy.9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
            <key>Services</key>
            <dict>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.crowdstrike.falcon.Agent</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <false/>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.crowdstrike.falcon.App</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                        <key>StaticCode</key>
                        <false/>
                    </dict>
                </array>
            </dict>
        </dict>
        <dict>
            <key>AllowUserOverrides</key>
            <false/>
            <key>AllowedSystemExtensionTypes</key>
            <dict>
                <key>X9E956P446</key>
                <array>
                    <string>EndpointSecurityExtension</string>
                    <string>NetworkExtension</string>
                </array>
            </dict>
            <key>AllowedSystemExtensions</key>
            <dict>
                <key>X9E956P446</key>
                <array>
                    <string>com.crowdstrike.falcon.Agent</string>
                </array>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures System Extensions Policy settings</string>
            <key>PayloadDisplayName</key>
            <string>System Extensions</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.system-extension-policy.20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
            <key>PayloadOrganization</key>
            <string>CrowdStrike Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.system-extension-policy</string>
            <key>PayloadUUID</key>
            <string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Kernel Extensions, System Extensions, and Privacy Preferences</string>
    <key>PayloadDisplayName</key>
    <string>Falcon Profile</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>BED12142-1459-41BF-B50B-66A27E702725</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Edit: I can't word good.
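
As an added example (not CrowdStrike's, Jamf's or ghart's code), a small Python lint that parses an unsigned .mobileconfig with the standard-library plistlib and checks the two payloads ghart edited (Kernel Extensions and System Extensions) for AllowUserOverrides = false, the X9E956P446 team ID and the com.crowdstrike.falcon.Agent extension, and refuses input that has already been CMS-signed. The two-payload sample profile it builds is constructed for the demonstration; the team ID and bundle ID are taken from the profile above.

```python
"""Pre-upload lint for an unsigned Falcon .mobileconfig (added example).

Checks the two payloads ghart edited (Kernel Extensions and System
Extensions) for AllowUserOverrides = false, that both allow team ID
X9E956P446, and that com.crowdstrike.falcon.Agent is an allowed system
extension. It also refuses CMS-signed input, since a signed profile is
DER-wrapped and no longer parses as XML. Uses only plistlib.
"""
import plistlib

# Values taken from the profile posted above.
CS_TEAM_ID = "X9E956P446"
CS_AGENT = "com.crowdstrike.falcon.Agent"
KEXT_TYPE = "com.apple.syspolicy.kernel-extension-policy"
SYSEXT_TYPE = "com.apple.system-extension-policy"


def is_cms_signed(data: bytes) -> bool:
    """True if the bytes look like a CMS (PKCS#7) DER blob rather than plist text.

    `security cms -S` wraps the profile in a DER SEQUENCE, so the first byte
    is 0x30 instead of the '<?xml' or 'bplist' start of an unsigned profile.
    """
    head = data.lstrip()[:6]
    return not (head.startswith(b"<?xml") or head.startswith(b"bplist"))


def lint_profile(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means it passes."""
    if is_cms_signed(data):
        return ["profile is already CMS-signed; lint the unsigned XML instead"]
    findings = []
    payloads = plistlib.loads(data).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}

    for ptype, name in ((KEXT_TYPE, "Kernel Extensions"),
                        (SYSEXT_TYPE, "System Extensions")):
        p = by_type.get(ptype)
        if p is None:
            findings.append(f"{name} payload ({ptype}) is missing")
            continue
        # An absent key is reported too: the value should be set explicitly to false.
        override = p.get("AllowUserOverrides", "absent")
        if override is not False:
            findings.append(f"{name}: AllowUserOverrides must be false (found {override})")
        if CS_TEAM_ID not in p.get("AllowedTeamIdentifiers", []):
            findings.append(f"{name}: AllowedTeamIdentifiers lacks {CS_TEAM_ID}")

    sysext = by_type.get(SYSEXT_TYPE)
    if sysext is not None:
        allowed = sysext.get("AllowedSystemExtensions", {}).get(CS_TEAM_ID, [])
        if CS_AGENT not in allowed:
            findings.append(f"System Extensions: {CS_AGENT} is not an allowed extension for {CS_TEAM_ID}")
    return findings


def force_no_user_overrides(data: bytes) -> bytes:
    """Rewrite both policy payloads with AllowUserOverrides = false and re-serialise."""
    root = plistlib.loads(data)
    for p in root.get("PayloadContent", []):
        if p.get("PayloadType") in (KEXT_TYPE, SYSEXT_TYPE):
            p["AllowUserOverrides"] = False
    return plistlib.dumps(root)


def constructed_profile(kext_override: bool, sysext_override: bool) -> bytes:
    """Constructed, minimal two-payload profile used as sample input (not the vendor's file)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadContent": [
            {"PayloadType": KEXT_TYPE,
             "AllowUserOverrides": kext_override,
             "AllowedTeamIdentifiers": [CS_TEAM_ID]},
            {"PayloadType": SYSEXT_TYPE,
             "AllowUserOverrides": sysext_override,
             "AllowedTeamIdentifiers": [CS_TEAM_ID],
             "AllowedSystemExtensions": {CS_TEAM_ID: [CS_AGENT]}},
        ],
    })


if __name__ == "__main__":
    import sys
    # Lint a real file if one is given, otherwise demonstrate on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_profile(True, False)
    for finding in lint_profile(data) or ["OK: no findings"]:
        print(finding)
    if len(sys.argv) == 1:
        print("after fix:", lint_profile(force_no_user_overrides(data)) or "OK")
```

Run it against the unsigned .mobileconfig before the `security cms -S` step from the first post; once the file is signed it is DER and the lint will say so rather than parse it.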

mallen13
New Contributor III

I think I've got literally every other key in there except my profile is set true here...

<key>AllowUserOverrides</key>
<false/>

Thanks! -- will dig into/try this.

ghart
New Contributor II

That key, in both the System Extensions and Kernel Extensions payload/sections, was the only change I made to CrowdStrike's profile. What's so terrible about this is that pretty much any app you can use to build profiles doesn't recognize the Kernel Extension or System Extension payloads, so you're forced into manually editing and referring to Apple's developer docs to make sure you're not breaking something.

mallen13
New Contributor III

I'm going to fresh load another BigSur test machine to be sure... but I think you might have hit the nail on the head...

Hey JAMF.... feature request: change "Allow Users to approve system extensions" to: "Prompt Users to approve system extensions" 🙂

and yes, I agree. -- as slick as CS was out of the gate... I'd really love to see them get on top of this kind of thing... ( and an arm64 port... )

mallen13
New Contributor III

So it was a combination of things...

Removing the check-box for 'Allow Users to approve system extensions' helped... but the final nag was, indeed, the 'BIOS/Firmware Standard Visibility' -- I managed to get our Sr. CS admin to DISABLE this feature in my test group, and now there are no more KEXTs in play. -- no prompts...

ubcoit
Contributor

@mallen13

Also confirmed on my end. Disabling the BIOS/Firmware feature has resolved the additional prompt to approve the KEXT. CS support is now aware of the issue but unsure if they can work around it.

I need to spend some time now building out the configuration profiles separately and testing again to confirm.

KBNet
New Contributor II

@mallen13

So unchecking the "allow users to approve system extensions" actually worked? I don't have the Firmware / BIOS Standard Visibility enabled, so I'm not hung up on a kext but I still am getting prompts to enable the system extension.

Even running

systemextensionsctl list

shows me that the system extension is "loaded" but waiting on user approval, which I want to avoid.

What version of CS are you running that played nicely for you?

ubcoit
Contributor

@KBNet

I've been testing with 6.14.12704 at this point. I'm just in the process of moving my profiles from dev to prod to test things again. I'm separating my profiles into each component, PPPC, KEXT, System Ext and Content, and will test again. I'm building all my profiles off the CS provided profile, to the best of my knowledge. Having said that, I have successfully applied PPPC, System Ext and Content to a Big Sur 11.1 workstation without reboot. Clean machine, enroll to Jamf, on enrollment profiles are applied, install CS, no prompts, everything is happy since Firmware/BIOS is now disabled. On this test, this is what my System Extension looked like, but in prod once I test again I plan on mirroring the settings in the provided CS profile that are available in Jamf. Are they all required? No idea! I'd hope CS knows better than me.


ubcoit
Contributor

@KBNet

And just cause I'm all setup for this, I snapped my vm back and retested with "Allow users to approve system extensions" enabled in the above System Extension profile and tested, no prompts again. In the CS provided profile this option is selected.

KBNet
New Contributor II

@ubcoit

Thanks for the details. Was this on a fresh install of Big Sur? I am attempting to upgrade machines, specifically from varying versions of macOS (Mojave and Catalina are really the two big ones).

My process is: upgrade CS from 6.15 to 6.16, install the profiles prior to upgrade (no prompts received on old macOS versions), upgrade straight to Big Sur, wait the 30 minutes to only be devastated by the "System Extension Blocked" pop-up after the upgrade.


I feel like I've been through absolutely everything to try to figure this out, and I can't. I just want to confirm, with the profiles you have your users are not seeing a single prompt (i.e. the one above)?

I have also decided to abandon the CS profile and roll my own. The system extension from what I can tell is identical to yours, and I still get the bloody prompts.

[screenshots: PPPC, Content Filter and System Extension profiles]

Ultimately, after running the cmd to show the loaded extensions, I see that it is there and activated but for some reason waiting for the user, which I want to avoid.


We don't have firmware analysis on so a kext isn't needed either.

We have a ticket open with CS but I am a little worried that they will push the blame onto Jamf as others have described here.

I feel like my scenario of installing CS then upgrading to BS might be the cause here. I think it might be time I roll up a fresh install of Big Sur and see if that works, rather than an upgrade. If that's the case though, I'm not quite sure how we're going to handle the plethora of machines not running BS.

Have you had an upgrade path work with CS and Big Sur with this profile, where users are not required to approve the system extension?

ubcoit
Contributor

@KBNet

I suspect your issue is the upgrade and you are having any number of problems. Notice the prompt is mentioning Falcon instead of CrowdStrike Inc? I believe this is because in 10.15 and earlier the process for CrowdStrike is falcond but in Big Sur the process is called com.crowdstrike.falcon.Agent. It's also possible that even though the profile was installed in 10.15, the system extensions aren't used and therefore aren't installed/linked or whatever happens in the backend. When you upgrade to Big Sur they can't load or something. Perhaps try applying new profiles once you upgrade to Big Sur? But then you'll also have the falcond vs com.crowdstrike.falcon.Agent issue until "something" triggers that switch, 30 minutes later?

Have you checked to see if "falcond" is actually a KEXT and not a System Extension?

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
select * from kext_policy_mdm;
select * from kext_policy;

TBH, this has certainly been a mess. I'm not sure we'll be able to do much in an upgrade scenario.

KBNet
New Contributor II

@ubcoit

I'll have to do some further testing but it seems like you might be right, installing CS once Big Sur is installed seems to work the best, no prompts using the same profiles. I'm still testing though, but initially that seems to be the case.

Just checking though, have you been able to upgrade between OS versions without prompts from CS after the upgrade?

ubcoit
Contributor

@KBNet

No, I've only tested on a clean Big Sur. I'm in the process right now of spinning up and updating three VMs, 10.13, 14 and 15, to confirm these profiles work correctly on them (they should). From there, I'll upgrade one or all of them to BS and see what happens. I'm expecting prompts. Even if you create your System Extensions profile and only deploy it to BS when the machine comes back online, CS will load and the profile won't have applied yet since Jamf won't know the machine has upgraded until an inventory runs. Pretty sure we are screwed. 🙂

KBNet
New Contributor II

@ubcoit

Please let me know how your testing goes, I'm curious to see if your results are different to mine. I really hoped that once the system extension profile was deployed the system wouldn't care if CS tried loading before or not, but I fear that is the case.

Maybe BS 11.2 changes that... or more realistically it will make it worse.. 😛

Jason33
Contributor II

@KBNet I have done upgrades from both Mojave and Catalina, and still get prompted that a system extension was blocked from running. I'd not received any prompts or warning messages prior to upgrading to Big Sur.

KBNet
New Contributor II

@Jason33

Thanks - did some testing this morning and it looks like if I uninstall CS before the upgrade from Catalina to Big Sur, then upgrade to BS, then reinstall CS the profile works fine. Just seems the upgrade is the cause.

11.2 released today, here's hoping that there are some changes that address this but I'm not holding my breath.

bilal_habib
New Contributor III

Just an fyi, if you load the system extension payloads whilst on Mojave and then upgrade to Big Sur the system extension payloads will not be recognised hence the "Falcon" prompts.

You can read more at the macadmins slack community on the crowdstrike_falcon channel

ubcoit
Contributor

@KBNet @Jason33 @bilal.habib

I've now completed some macOS upgrades and to my surprise I haven't been prompted after upgrading. ??? This wasn't expected.

My profiles, all are separate scoped to the appropriate version of macOS.

CrowdStrike Content Filter - Scope = macOS 10.15 or later
CrowdStrike Kernel Extensions - Scope = macOS 10.13.2 to macOS 10.15.x
CrowdStrike PPPC - Scope = macOS 10.14 or later
CrowdStrike System Extensions - Scope = macOS 10.15 or later

macOS 10.13.6, CrowdStrike 5.34.11501
Configuration Profile assigned before installation:
- CrowdStrike Kernel Extensions

Process 'falcond' runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, falcond is running.

Upgraded 10.13.6 to Big Sur 11.1. falcond is running, no prompts but when I run falconctl stats, errors out. All communication with the console is lost. Expected since 5.34 isn’t Big Sur compatible.

macOS 10.14.6, CrowdStrike 6.12.125.05
Configuration Profile assigned before installation:
- CrowdStrike Kernel Extensions
- CrowdStrike PPPC

Process 'falcond' runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, falcond is running.

Did not upgrade macOS.

macOS 10.14.6, CrowdStrike 6.16.129.03
Configuration Profile assigned before installation:
- CrowdStrike Kernel Extensions
- CrowdStrike PPPC

Process 'falcond' runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, falcond is running.

Did not upgrade macOS.

macOS 10.15.7, CrowdStrike 6.12.125.05
Configuration Profile assigned before installation:
- CrowdStrike Content Filter
- CrowdStrike Kernel Extensions
- CrowdStrike PPPC
- CrowdStrike System Extension

Process 'falcond' runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, falcond is running.

Upgraded 10.15.7 to Big Sur 11.2. falcond is running, no prompts (rebooted multiple times), client is still communicating with the CrowdStrike console. Sent an upgrade to the client (6.17) from the console and it updated and the process changed from falcond to com.crowdstrike.falcon.Agent; no prompts came up. Rebooted the system, no prompts.

macOS 10.15.7, CrowdStrike 6.16.129.03
Configuration Profile assigned before installation:
- CrowdStrike Content Filter
- CrowdStrike Kernel Extensions
- CrowdStrike PPPC
- CrowdStrike System Extension

Process 'falcond' runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, falcond is running.

macOS 11.1, CrowdStrike 6.14.12704
Configuration Profile assigned before installation:
- CrowdStrike Content Filter
- CrowdStrike PPPC
- CrowdStrike System Extension

Process com.crowdstrike.falcon.Agent runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, com.crowdstrike.falcon.Agent is running.

macOS 11.1, CrowdStrike 6.16.129.03
Configuration Profile assigned before installation:
- CrowdStrike Content Filter
- CrowdStrike PPPC
- CrowdStrike System Extension

Process com.crowdstrike.falcon.Agent runs after installation with no prompts. Waited 5 minutes, rebooted, no prompts, com.crowdstrike.falcon.Agent is running.

LovelessinSEA
Contributor II

Has anyone been able to get the PPPC portion of the profile to work? I'm not getting any prompts for the system extension, surprisingly. But I'm unsure if the PPPC is actually working. When running:

sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'select * from access'

neither com.crowdstrike.falcon.agent nor com.crowdstrike.falcon.app is showing up as having been given access.

KBNet
New Contributor II

@ubcoit

This is pure gold, and I think you may have determined my problem. I just went through an upgrade on CS 6.15.12805 from Catalina 10.15.7 to Big Sur 11.2 where the profiles were not previously installed on Catalina, and it worked. I scoped the profiles to only install once the machine hits Big Sur, and not a single prompt and we're communicating with CS.

I was assuming that the profile should be installed prior to the upgrade, but I'm now wondering if that's causing my issues. More testing tomorrow, that's for sure!

mallen13
New Contributor III

This has gone off the rails a bit ( understandably )
Hopefully with the info in this thread, most everybody has figured out the essential elements for each...

Catalina ( PPPC / KEXT / SysEx )
BigSur ( PPPC / SysEx, no-kext )

@ubcoit I'm not having issues at all in the following scenarios (**as long as 'Firmware / BIOS Standard Visibility' is disabled.... )

Catalina FreshLoad - CS5.x through 6.16
Catalina -> BigSur Self-Service Upgrade - CS6.14 through CS6.16
BigSur FreshLoad - CS6.14 through 6.16

Has anybody had any luck with 'Firmware / BIOS Standard Visibility' enabled for BigSur FreshLoad ?
it apparently still utilizes a KEXT when enabled...

My support case with CS essentially ended with something to the order of.... "yeah, we're workin on it...."

ubcoit
Contributor

@LovelessinSEA

I get no prompts for anything including PPPC as per my config/settings above in any OS now. I have not tested Big Sur on M1.

ubcoit
Contributor

@KBNet

On the upgrade from macOS 10.15 to Big Sur I had already applied the System Extensions to 10.15 prior, as 10.15 is compatible with System Extensions is/was my understanding. Everything is now working without prompts.

LovelessinSEA
Contributor II

@ubcoit Yeah, I'm not getting any prompts at all, but I'm unsure if the PPPC policy is actually working. Anyone know how to test Full Disk Access for CrowdStrike? We just opened a ticket with them; hopefully we can get them on the phone soon to figure out what the expected experience should be.

ubcoit
Contributor

@mallen13

Good summary. Yes, no problems for me either once the bios/firmware feature was disabled.

I'm sure CrowdStrike will fix this at some point, now that they are aware of it. Or here's hoping...

ubcoit
Contributor

@LovelessinSEA

Ya, that's a fair point! I have no idea if the software works but it installs now, runs and doesn't prompt me. lol

danny_gutman
New Contributor III

How are you guys suppressing Falcon Notifications prompt? I see no one talked about this on any other threads.

You guys are getting a prompt to approve or deny Notifications for Falcon?

bilal_habib
New Contributor III

@danny.gutman Use a profile editor of your choice and then decide how you want it handled.

user-UUpXyPmFfV
New Contributor

Saw a Falcon Notifications prompt for the first time today, didn't even know what Falcon was so clicked Deny.

Then I realized Falcon Notifications may need to show important security notifications, but couldn't find Falcon in the Notification Setting app list.

How do I get to finally Allow Falcon Notifications after having Denied it in the initial prompt?

jimmyvalessu
New Contributor II

@danny.gutman This custom manifest approach worked well for me as a starting point: https://github.com/talkingmoose/jamf-manifests/blob/master/macOS%20Notifications%20(com.apple.notificationsettings).json

But with 10.27 just released, we can now do this natively with the new Notifications payload, so we'll be replacing the above implementation with a native method.

B-35405
Contributor

I didn't read this whole convo, but I made this myself and all "things" Crowdstrike and Falcon work perfectly. The Profile provided by CS did not work. I built one myself. I don't even think you need the Approved Kernel Extensions payload any longer, just the sys ext one.

JarvisUno
Contributor II

@B-35405 Can you please post the manual text information underneath it? It would be a tremendous help.
I can see its a pretty big Payload and would like to see what you have in each section for testing on my end.

Thanks in Advance.